diff for duplicates of <1505025984.3224.35.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 11a154b..d31aabe 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -23,26 +23,21 @@ On Thu, 2017-09-07 at 11:19 -0700, Linus Torvalds wrote: > Tell me why I'm wrong, or tell me why that garbage made it in in the > first place? -I'm really sorry for the long delay in responding. ?I've been on +I'm really sorry for the long delay in responding. I've been on vacation the last week, mostly without cell phone and very limited -wifi access.? +wifi access. True, there is a side case where integrity_read_file() is being called -without first taking the i_rwsem. ?This side case permits signed x509 +without first taking the i_rwsem. This side case permits signed x509 certificates to be loaded onto the trusted IMA/EVM keyrings, without verifying the file signature stored as security.ima/security.evm -xattrs. ?Basically, the xattr signatures can not be verified until the -keys are loaded. ?The main use case is embedded systems which do not -have an initramfs, but have a specially crafted init script. ?It -requires enabling CONFIG_IMA_LOAD_X509 or CONFIG_EVM_LOAD_X509. ?The +xattrs. Basically, the xattr signatures can not be verified until the +keys are loaded. The main use case is embedded systems which do not +have an initramfs, but have a specially crafted init script. It +requires enabling CONFIG_IMA_LOAD_X509 or CONFIG_EVM_LOAD_X509. The new VFS integrity_read() file operation method would not be called. The main use case for the new VFS integrity_read() file operation method is to calculate the file hash, as Christoph described. Mimi - --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index bf97041..2a8a184 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -1,9 +1,12 @@ "ref\0alpine.LRH.2.21.1709041959220.27950@namei.org\0" "ref\0CA+55aFw8wgA+jhBOhnY-TSdbPgiYcrFiipCV=rsS1=GQEN+JgQ@mail.gmail.com\0" - "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" - "Subject\0[GIT PULL] Security subsystem updates for 4.14\0" + "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" + "Subject\0Re: [GIT PULL] Security subsystem updates for 4.14\0" "Date\0Sun, 10 Sep 2017 02:46:24 -0400\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0Linus Torvalds <torvalds@linux-foundation.org>" + " James Morris <jmorris@namei.org>\0" + "Cc\0Linux Kernel Mailing List <linux-kernel@vger.kernel.org>" + " LSM List <linux-security-module@vger.kernel.org>\0" "\00:1\0" "b\0" "On Thu, 2017-09-07 at 11:19 -0700, Linus Torvalds wrote:\n" 
@@ -31,28 +34,23 @@ "> Tell me why I'm wrong, or tell me why that garbage made it in in the\n" "> first place?\n" "\n" - "I'm really sorry for the long delay in responding. ?I've been on\n" + "I'm really sorry for the long delay in responding. \302\240I've been on\n" "vacation the last week, mostly without cell phone and very limited\n" - "wifi access.?\n" + "wifi access.\302\240\n" "\n" "True, there is a side case where integrity_read_file() is being called\n" - "without first taking the i_rwsem. ?This side case permits signed x509\n" + "without first taking the i_rwsem. \302\240This side case permits signed x509\n" "certificates to be loaded onto the trusted IMA/EVM keyrings, without\n" "verifying the file signature stored as security.ima/security.evm\n" - "xattrs. ?Basically, the xattr signatures can not be verified until the\n" - "keys are loaded. ?The main use case is embedded systems which do not\n" - "have an initramfs, but have a specially crafted init script. ?It\n" - "requires enabling CONFIG_IMA_LOAD_X509 or CONFIG_EVM_LOAD_X509. ?The\n" + "xattrs. \302\240Basically, the xattr signatures can not be verified until the\n" + "keys are loaded. \302\240The main use case is embedded systems which do not\n" + "have an initramfs, but have a specially crafted init script. \302\240It\n" + "requires enabling CONFIG_IMA_LOAD_X509 or CONFIG_EVM_LOAD_X509. \302\240The\n" "new VFS integrity_read() file operation method would not be called.\n" "\n" "The main use case for the new VFS integrity_read() file operation\n" "method is to calculate the file hash, as Christoph described.\n" "\n" - "Mimi\n" - "\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + Mimi -17a1a3a1856bf15643dd39f310da8284bc63128e5164001a5cec0bcef6a61b08 +b03a118a60e42aedddfe533664d860cec02d70104e68c01dbcdee381e097df68
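Review bot: in the a/1.txt body hunk (@@ -23,26 +23,21 @@), every removed line carries a literal "?" where the N1 copy has a non-breaking space, which the content_digest hunk shows as \302\240 (for example "responding. ?I've been on" against "responding. \302\240I've been on"). The a/ copy has lost the original character and also appends the majordomo list footer after the signature, so N1 is the more faithful body to keep or quote from when choosing between the duplicates.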
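Review bot: in the content_digest header hunk (@@ -1,9 +1,12 @@), the two copies keep the same ref lines and Date but differ in the From form, the Subject (the a/ copy lacks the "Re:" prefix) and the recipients (a/ has only linux-security-module@vger.kernel.org in To, N1 has named To and Cc entries). Anything that threads or deduplicates on Subject or recipient headers would treat these as separate messages, so matching should rely on the Message-ID these duplicates are listed under and on the ref lines, not on those headers.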